
XP: Taskbar/Start Menu gone, desktop icons unmovable, more symptoms inside

Discussion in 'Malware and Virus Removal Archive' started by Flapdoodle, 2007/10/09.

  1. 2007/10/09
    Flapdoodle

    Flapdoodle Inactive Thread Starter

    Joined:
    2007/10/09
    Messages:
    25
    Likes Received:
    0
    I seem to have picked up some sort of virus. Did a google search for a few symptoms and found this thread: http://www.windowsbbs.com/showthread.php?t=64621
    It seems to be my exact symptoms, but the only solution I saw there was a reinstall it looked like. I'd prefer not to have to do that just yet. Here's a list of symptoms I've noticed so far:

    -Much slower bootup and logon
    -Taskbar is completely gone, not just minimized or too small
    -Desktop icons unmovable
    -Copy/Paste functions not working
    -Missing a few startup applications (including Windows Security Center)
    -Windows minimizing like they did in older versions of Windows (pre-95 versions without taskbars)
    -General slower performance in other applications
    -Sound seems to be coming from PC speaker instead of the usual external speakers

    That's all I can think of at the moment. I've been able to run Spybot, AdAware, and the windows malicious software removal tool, none of them fixed it. I could also run AVG Free, but I couldn't update it for some reason. It suggested I try reinstalling it, so I did, but the install won't complete. Before I did that, I ran a scan with the current virus definitions that shouldn't have been much older than a week or so. I've also done a log on HijackThis, but I'm not seeing any option to attach a file here. I'd do a copy/paste on it but....I can't. It's at *removed by request* for anyone who needs it. If you really don't trust me enough to get it there, well, I guess I can type it all out.

    So, any help, or at least positive identification on virus name or something?
     
    Last edited: 2007/10/09
  2. 2007/10/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Flapdoodle :)

    Please download and run Deckard's System Scanner as outlined in the following link.

    http://www.windowsbbs.com/announcement.php?f=41

    Try to copy and paste the results using Ctrl+C to copy after highlighting, and Ctrl+V to paste. If that doesn't work either, save the main.txt log to a location you can easily find and email it to me. I will review and post it for you. Please put RE: smitRem in the subject line.

    BTW, the site you uploaded to throws an awful lot of adware type cookies and TIFs at one's comp, stuff that Ad-aware and Spybot (and other good apps) will flag and remove if found on a system. The link isn't really required (the log appears clean and shows nothing of value for resolving the problem), so I and others would appreciate you edit it out. Thanks ;)

    I'll check in tomorrow evening ...... I need sleep.
     


  4. 2007/10/09
    Flapdoodle

    Done, and e-mail sent to you through the forum's e-mail sending form accessed by clicking on your name. I was able to open outlook express and send/receive mail, but when I tried to create a new message, it gave an error along the lines of "Can't do this, not enough memory." Kinda conflicts with what the task manager was telling me.

    I was able to copy the text from Notepad and paste it into the e-mail, but I haven't been able to do that anywhere else. I've tried cut/copy/paste on files on the desktop and elsewhere in folders, and it doesn't go. Highlighting text right now allows me to copy from the Edit menu, but then all the options grey out when I try to paste it somewhere. Odd. At least I didn't have to type the entire log report out by hand, which I would have done since I have nothing better to do right now. I hope it's still formatted properly, I couldn't really tell in the small text box that the e-mail thing gave me.

    Sorry about the mediafire link, I was just looking for some sort of free host really quick so I could have that logfile accessible without having to type it out. The site didn't look terribly fishy, and I've seen/heard people using it without accompanying horror stories, so I went with it.

    Thanks a bunch for taking time to help me with this, it's greatly appreciated.
     
  5. 2007/10/09
    noahdfear

    I've moved your topic to the appropriate forum for malware/virus related issues.

    Please upload the following 2 files to jotti for analysis, then see if you can copy the results and post them here. Please note the svchost file's date and time of creation as well as the size. Note also that it's not showing us an extension for that file either. There is a legitimate file named svchost.exe

    2007-10-08 05:45:04 1641880 --a------ C:\WINDOWS\system32\a.exe
    2007-10-08 05:44:43 31590 --a------ C:\WINDOWS\system32\svchost

     
  6. 2007/10/09
    Flapdoodle

    Gah, I should have looked at the forums more closely to see if there was a specific virus one, I just put the thread in the same forum that I found the other thread on.

    Anyway, a.exe:
    status: infected/malware
    md5: 51576e9f9d75541dffa3d8a2d4302b4e
    packers detected: exestealth
    bit9 reports: file not found
    The only scanner that didn't report "found nothing" was Norman Virus Control, which reported "Found PoisonIvy.gen15"

    svchost:
    status: OK
    md5: 19c0ebbce6cbc207c76d1843ae0eb883
    packers detected: -
    bit9 reports: file not found
    All scanners reported "found nothing."

    I'm gonna have some dinner and a shower, then do a google search on PoisonIvy.gen15 or Exestealth to see what I can find while waiting for your response.
     
  7. 2007/10/09
    noahdfear

    Please upload the svchost file to my submission channel. Leave a link back to this topic.

    Then, delete a.exe and move svchost to the C: drive for now.
    Click Start>Run and type %temp% then hit enter. Delete everything you can in that folder.
    Open C:\Windows\Prefetch and delete everything except the file layout.ini (may be a hidden file).
    Open C:\Windows\Temp and delete everything you're able to.
    Empty the recycle bin.

    Run an online virus scan with Panda.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC now button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Select the appropriate Yes or No to receiving marketing information
    • Click the Free Online Scan button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report, or email it to me if you still can't copy/paste.

    Let me know if any of the symptoms persist.
     
  8. 2007/10/09
    noahdfear

    Thanks for that file. It looks to me like, and maybe you can confirm this by the content below, that it is a log made by a keylogger logging keystrokes on your machine.

    Here's a bit of an excerpt. Pay no attention to the numbers before the colon.
    Part of an instant message conversation, mixed with keystrokes made while playing a game?
     
  9. 2007/10/09
    Flapdoodle

    Uploaded svchost to your link, deleted the things you requested. Two files remained in %temp% that were in use by another program. Was unable to move svchost out of windows/system32 due to not being able to cut/paste or drag files/icons. I did however rename it to "NOTsvchost" so that it would no longer be confusing anything trying to run svchost.exe. I was unable to run Panda's ActiveScan: when I went there in Firefox, it told me to use IE. When I went there in IE, the two "Scan your PC now" buttons didn't do anything when clicked. The "Free Online Scan" link under the Shortcuts sidebar of the main page of the site doesn't do anything either. They all work in Firefox, but do nothing when clicked in IE.

    My next line of thought is give the machine a reboot and see if things are cleaned up and run the free scan as assurance. Your thoughts?
     
  10. 2007/10/09
    Flapdoodle

    Yeah, exactly it. Part of an AIM convo followed by logging in to WoW. Fortunately, that's a password completely independent of anything else I use (but still edit out if you would), plus I don't think I've logged on to anything important (online banking and such) in the timeframe that I think I've gotten infected.
     
  11. 2007/10/09
    noahdfear

    Sorry about that .... never even thought about that being a password :eek: It's gone now (I hope).


    Delete that svchost file, then empty the recycle bin again.

    Reboot.

    Download Dr.Web CureIt, saving the file to your desktop.
    • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
    • This will scan the files currently running in memory and when (if) something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.

    Post it here if you're able, otherwise email to me.
     
  12. 2007/10/09
    Flapdoodle

    S'fine, like I said, it's independent of anything else, plus there was no accompanying user name to go with it. I looked through the svchost file on textpad, and fortunately, it seems that it didn't log anything except a little general internet browsing, a couple AIM convos, and a bit of WoW time.

    Okay, commencing deletion and reboot!
     
  13. 2007/10/09
    Flapdoodle

    Start menu back, dragging icons/files works, copy/paste works, I'm at the opening screen of that Panda scan in IE. I'll run the CureIt thing, then probably the Panda scan just for assurance. Seems to be fixed for the most part now though. I'll update in a bit after stuff has run.
     
  14. 2007/10/09
    noahdfear

    Great!

    Copy the following command.

    sc config usprserv start= disabled

    Click Start>Run and paste it in then hit enter.

    Now copy the next command and paste it in and hit enter.

    regedit.exe /e c:\usprserv.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv"

    Open the c:\usprserv.txt file it creates and post its contents here.

    Please submit c:\windows\system32\svchost.exe to both jotti and VirusTotal and post the results of each (I want to see md5 info and such).
     
  15. 2007/10/09
    Flapdoodle

    File: svchost.exe
    Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 8f078ae4ed187aaabc0a305146de6716
    Packers detected: -
    Bit9 reports: No threat detected


    File svchost.exe received on 10.10.2007 05:13:20 (CET)
    Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
    Result: 0/32 (0%)
    Additional information
    File size: 14336 bytes
    MD5: 8f078ae4ed187aaabc0a305146de6716
    SHA1: da0ff4006859a7580aba81f486f692dead2014fe

    usprserv.txt:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv]
    "Type"=dword:00000010
    "Start"=dword:00000003
    "ErrorControl"=dword:00000001
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
    74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
    00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
    6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
    "DisplayName"="User Privilege Service"
    "ObjectName"="LocalSystem"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv\Security]
    "Security"=hex:01,00,14,80,30,00,00,00,3c,00,00,00,14,00,00,00,00,00,00,00,02,\
    00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
    00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
    00
     
  16. 2007/10/09
    Flapdoodle

    CureIt finished, found three things it called viruses, although I'm not quite sure. One was the executable for mIRC, which I haven't used in years. The other two were related to PopCap games, one was a .dll file, the other seemed to be an uninstaller. Had it delete all three, since I doubt I'll miss any of it if it wasn't really infected. Gonna run panda scan now.
     
  17. 2007/10/09
    Flapdoodle

    Panda scan results:

    Looks like a bunch of advertising cookies with a few e-mail viruses that are probably just sitting in the trash can of Thunderbird that I haven't emptied yet.

    Code:
    Incident                            Status           Location

    Spyware:Cookie/2o7                  Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.2o7.net/]
    Spyware:Cookie/Atlas DMT            Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Tribalfusion         Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.tribalfusion.com/]
    Spyware:Cookie/WebtrendsLive        Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[statse.webtrendslive.com/]
    Spyware:Cookie/Advertising          Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.advertising.com/]
    Spyware:Cookie/Doubleclick          Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/Adrevolver           Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.adrevolver.com/]
    Spyware:Cookie/Zedo                 Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.zedo.com/]
    Spyware:Cookie/Com.com              Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.com.com/]
    Spyware:Cookie/Mediaplex            Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.mediaplex.com/]
    Spyware:Cookie/YieldManager         Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[ad.yieldmanager.com/]
    Spyware:Cookie/YieldManager         Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.ad.yieldmanager.com/]
    Spyware:Cookie/RealMedia            Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.realmedia.com/]
    Spyware:Cookie/Serving-sys          Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.serving-sys.com/]
    Spyware:Cookie/Serving-sys          Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[bs.serving-sys.com/]
    Spyware:Cookie/Serving-sys          Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.serving-sys.com/]
    Spyware:Cookie/Serving-sys          Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.bs.serving-sys.com/]
    Spyware:Cookie/FastClick            Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.fastclick.net/]
    Spyware:Cookie/Traffic Marketplace  Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.trafficmp.com/]
    Spyware:Cookie/Overture             Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.overture.com/]
    Spyware:Cookie/Xiti                 Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.xiti.com/]
    Spyware:Cookie/Statcounter          Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.statcounter.com/]
    Spyware:Cookie/Weborama             Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.weborama.fr/]
    Spyware:Cookie/QuestionMarket       Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.questionmarket.com/]
    Spyware:Cookie/PointRoll            Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.ads.pointroll.com/]
    Spyware:Cookie/Go                   Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.go.com/]
    Spyware:Cookie/Casalemedia          Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.casalemedia.com/]
    Spyware:Cookie/Bluestreak           Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.bluestreak.com/]
    Spyware:Cookie/Humanclick           Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[hc2.humanclick.com/]
    Spyware:Cookie/Smartadserver        Not disinfected  C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\ocotu0cc.default\cookies.txt[.smartadserver.com/]
    Virus:W32/Bagle.EL.worm             Disinfected      C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\gs83qqpd.default\Mail\Local Folders\Inbox[price2.zip][1.cpl]
    Virus:Trj/Mitglieder.FA             Disinfected      C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\gs83qqpd.default\Mail\Local Folders\Inbox[new_price.zip][20_price.exe]
    Virus:W32/Spamta.QO.worm            Disinfected      C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\gs83qqpd.default\Mail\Local Folders\Inbox[message.msg.exe]
    Spyware:Cookie/Atwola               Not disinfected  C:\Documents and Settings\Ken\Cookies\ken@atwola[2].txt
    
     
  18. 2007/10/09
    Flapdoodle

    Okay, I'm fairly confident that whatever this was is probably gone. Still interested in hearing your final thoughts on it though. Also, if you don't mind and have the spare time, I would very much enjoy hearing your analytical process through all this. Example, what you were looking for in system scan results, what all that stuff I deleted was, etc. I'm not entirely unfamiliar with most of this stuff, but I just have very little idea on what to be looking for and would like to have a better knowledge of this, as I'm sure I'll be called on by a family member to deal with something similar in the future. Understandable if you're unable to do this, and I very much appreciate all of your help regardless; I'll try to pass on the karma in some way down the line.
     
  19. 2007/10/10
    noahdfear

    I'm pretty sure that you still have a service on your computer that was put there by malware.

    3 usprserv (User Privilege Service) - c:\windows\system32\svchost.exe

    The sc config command I had you run was meant to set the service to disabled, which didn't happen, according to the export. You did run the sc config command prior to the regedit.exe /e command?? Let's try it another way.

    Copy the contents of the quote box below to a blank notepad. Save it to the desktop as;

    Filename: fix.reg
    Save as type: All Files (*.*)

    Double click fix.reg and allow it to merge with the registry.

    Now reboot.

    Delete the c:\usprserv.txt file, then run this command again and post the c:\usprserv.txt text file.

    regedit.exe /e c:\usprserv.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv"


    Let me know if you're experiencing any problems after doing so.

    I would also like to double check the signature on one of your system files, to make sure it hasn't been altered. Please go here and download the zip file for File Digital Sign Verify. Save it to the desktop, then extract the contents to its own folder.

    Highlight and copy the contents of the quote box below to a blank notepad. Save it to the FileDigitalSignVerify folder where FileDigitalSignVerify.exe is located as;

    Filename: verify.bat
    Save as type: All Files (*.*)

    Double click verify.bat to run it. It will open verify.txt when it completes. Please post its contents.
     
  20. 2007/10/10
    Flapdoodle

    verify.txt:

    0x800b0100 - C:\WINDOWS\system32\svchost.exe

    usprserv.txt

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv]
    "Type"=dword:00000010
    "Start"=dword:00000004
    "ErrorControl"=dword:00000001
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
    74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
    00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
    6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
    "DisplayName"="User Privilege Service"
    "ObjectName"="LocalSystem"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv\Security]
    "Security"=hex:01,00,14,80,30,00,00,00,3c,00,00,00,14,00,00,00,00,00,00,00,02,\
    00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
    00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
    00
     
  21. 2007/10/10
    noahdfear

    Service successfully disabled.

    Not liking the verify results. Please create another bat file using the contents of the quote box below. Save it to your desktop as check.bat

    Run it and post the contents of check.txt
     
